# PowerShell脚本：锁定数据库文件权限
Write-Host "Executing database file permission lockdown..."

# 获取当前ACL
$acl = Get-Acl "endo_sight_uc.db"
Write-Host "当前权限："
$acl.Access | ForEach-Object {
    Write-Host "  $($_.IdentityReference.Value): $($_.FileSystemRights)"
}

# 移除Authenticated Users权限
$authUsersRule = $acl.Access | Where-Object { $_.IdentityReference.Value -eq "NT AUTHORITY\Authenticated Users" }
if ($authUsersRule) {
    $acl.RemoveAccessRule($authUsersRule)
    Set-Acl "endo_sight_uc.db" $acl
    Write-Host "Removed Authenticated Users permission"
}

# 移除Users权限
$usersRule = $acl.Access | Where-Object { $_.IdentityReference.Value -eq "BUILTIN\Users" }
if ($usersRule) {
    $acl.RemoveAccessRule($usersRule)
    Set-Acl "endo_sight_uc.db" $acl
    Write-Host "Removed Builtin Users permission"
}

# 同样处理WAL和SHM文件
foreach ($file in @("endo_sight_uc.db-wal", "endo_sight_uc.db-shm")) {
    if (Test-Path $file) {
        $acl = Get-Acl $file
        $authUsersRule = $acl.Access | Where-Object { $_.IdentityReference.Value -eq "NT AUTHORITY\Authenticated Users" }
        if ($authUsersRule) {
            $acl.RemoveAccessRule($authUsersRule)
            Set-Acl $file $acl
            Write-Host "Removed Authenticated Users permission for $file"
        }
        $usersRule = $acl.Access | Where-Object { $_.IdentityReference.Value -eq "BUILTIN\Users" }
        if ($usersRule) {
            $acl.RemoveAccessRule($usersRule)
            Set-Acl $file $acl
            Write-Host "Removed Builtin Users permission for $file"
        }
    }
}

Write-Host "Database file permission lockdown completed!"